Impact Stored XSS vulnerability via forged mce:protected comments. Allows attackers to bypass sanitization and inject scripts that execute when content is restored. Impacts users who utilize the protect option. Patches…
| CVE ID | CVE-2026-47762 |
| Vendor | npm |
| Affected Product | tinymce |
| Vulnerability Type | Vulnerability |
| CVSS Score | 8.7 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
#
Stored XSS vulnerability via forged mce:protected comments. Allows attackers to bypass sanitization and inject scripts that execute when content is restored. Impacts users who utilize the protect option.
Patched by validating decoded mce:protected content against configured protect regex rules before restoring. Users should upgrade to the latest patched version.
No official workaround available.
To avoid this vulnerability: Upgrade to TinyMCE 8.5.1 or higher. Upgrade to TinyMCE 7.9.3 or higher. Upgrade to TinyMCE 5.11.1 LTS or higher for TinyMCE 5.x (only available as part of commercial [long-term support](https://www.tiny.cloud/long-term-support/) contract).
Tiny thanks [Ivan Babenko](https://github.com/he1d3n) for their
Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.